The highest court of Massachusetts recently held that a suspect can be compelled to enter his passcode to unlock and decrypt his cell phone where the government showed the suspect’s knowledge of the passcode was a foregone conclusion.

In Commonwealth v. Jones, SJC-12564 (Mass. Mar. 6, 2019), a grand jury indicted Dennis Jones for sex trafficking. During his arrest, the Commonwealth seized a cell phone. Based upon information that the phone included material evidence, the Commonwealth sought a warrant to search the phone. The warrant was issued but the Commonwealth could not execute it because the phone could only be unlocked and decrypted upon entry of a passcode.

The Superior Court denied the Commonwealth’s motion to compel Jones to unlock the phone on the ground that it would violate Jones’ privilege against self-incrimination under the Fifth Amendment to the U.S. Constitution and Article 12 of the Massachusetts Declaration of Rights. The lower court found that the government failed to prove that Jones’s knowledge of the passcode was a foregone conclusion.

Upon a renewed motion months later, the lower court again denied the motion, noting that additional evidence raised in the renewed motion had been available at the time the first motion was made and still did not change the conclusion. The government’s evidence came from a woman who called police and accused Jones of stealing her purse. She also then alleged that Jones induced her into working as a prostitute. The woman provided evidence that linked Jones to the cell phone and identified communications she had with Jones via the phone, as well as photos and other evidence on the phone related to prostitution.

The Massachusetts Supreme Judicial Court reversed and remanded, concluding that the foregone conclusion exception applied, that the Commonwealth met its burden, and the lower court should have considered the additional information raised in the renewed motion to compel entry of the passcode.

While recognizing the importance of the Fifth Amendment, the court noted that the privilege against self-incrimination did not apply to prohibit testimonial acts that conveyed facts already known to the government such that they are a “foregone conclusion.” Prior precedent in Massachusetts had extended the foregone conclusion to compel production of a password to encrypted computer files. The high court held that a defendant could be compelled to decrypt a device by entering a passcode if the government proved beyond a reasonable doubt that the defendant knows the passcode. The facts-including that the defendant had the phone with him when arrested, subscriber and other information about the phone that corroborated he had control over the phone, and the woman witness’s statements combined with reasonable inferences-were sufficient to meet that standard. Accordingly, the court reversed and remanded the case.

One justice concurred in the court’s holding, but would have required the government to show with reasonable particularity that it already knew of relevant files on the device, a standard the justice found was met with respect to Jones based on the facts used to conclude he knew the passcode. Because the majority decision did not require such a showing to access files on the phone once unlocked, the concurring justice described the decision as “sound[ing] the death knell for a constitutional protection against compelled self-incrimination in the digital age” because it allowed the government to compel access to “a trove of potential incriminating and highly personal data on an electronic device” simply by showing the defendant knows the passcode.

Sara Beth Kohut co-chairs the Cybersecurity, Privacy, and Data Protection group at Young Conaway in Wilmington, Delaware. Her practice focuses on advising legal representatives for future claimants in connection with asbestos mass tort insolvency matters and settlement trusts. She also advises clients on strategies for protecting information assets and complying with obligations governing the privacy and security of sensitive data.

The Pennsylvania Cybersecurity and Data Privacy Committee analyzes cybersecurity issues and educates PBA members about legal, regulatory and industry standards that preserve the confidentiality of protected information.